GDPR: Why the EU General Data Protection Regulation is important to you

GDPR is the most comprehensive reorganization of data protection in Europe. From the 25th of May, new laws will apply that strengthen the protection of personal data. We present the most important changes in a three-part blog series.

The General Data Protection Regulation (GDPR) harmonizes data protection laws across the European Union. It aims to protect personal data on the one hand and to ensure the free movement of such data within the single European market on the other. On 25 May 2018, the two-year transitional period granted to companies to implement the new requirements will expire. From this date on, they will face heavy fines for violations.

GDPR is not only important for data processing companies, but also for you as a user. In a three-part blog series, we present the most important (new) regulations. In the first part, we will explain what rights you as a consumer will be able to claim in the future when it comes to privacy issues.

People affected by the processing of personal data have the following rights under GDPR:

Right to information (Article 12 ff.)
When data is collected, for example when ordering a newsletter, the data subject must be informed immediately about the processing and about his or her rights. Part 3 of our blog series explains exactly how this should be done.

Right of access (Article 15)
Users may request confirmation as to whether personal data concerning them is being processed. If this is the case, the controller must provide a copy of all personal data, including information on the purposes of processing, duration of storage, origin and transfer of data to a third country or to an international organisation.

Right to rectification (Article 16)
A data subject can obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

Right to erasure / “Right to be forgotten” (Article 17)
As with the right to rectification, a user can obtain from the controller the erasure of personal data concerning him or her without undue delay. However, certain prerequisites must be met for this. Learn more about this in part 3 of our blog series.

Right to restriction of processing (Article 18)
Under certain circumstances, a data subject can obtain from the controller restriction of processing of his or her personal data, for example if he or she contests the accuracy of the data or if the processing is unlawful.

Right to data portability (Article 20)
In the future, users will have the right to transfer data they have provided to another application, for example from one social network to another. The controller must provide this data in a “structured, commonly used and machine-readable format”. This should make it easier for users to change providers without losing data. However, it is not yet clear how this will be technically implemented.

Right to object (Article 21 ff.)
Users have the right to object at any time to the processing of their personal data. However, there is no guarantee that such an objection will succeed, as this depends on different conditions. We will discuss this in detail in part 2 of our blog series.

GDPR adopts some of the central regulations of the strict German Federal Data Protection Act (in German: Bundesdatenschutzgesetz, BDSG) and tightens them to some extent. This will be highlighted in the second part of our blog series. In part 3 we introduce the innovations of GDPR, which go beyond the requirements of the BDSG.